THE ACC, MID-AMERICA CHAPTER Mutual of Omaha Insurance Co. Omaha, NE


WEDNESDAY, May 18, 12:00 PM
THE ACC, MID-AMERICA CHAPTER
Mutual of Omaha Insurance Co., Omaha, NE
LAURA CLARK FEY, Esq., CIPP/US, CIPP/E, CIPM
Fey LLC, Leawood, KS

Agenda
- BYOD Stats
- Legal Risks Associated with BYOD
- Recommendations to Address Legal Risks

BYOD Adoption (chart). Source: BYOD and Mobile Security Report, 2016 (Crowd Research Partners)

BYOD Availability by Sector (chart). Source: How Forward-Looking Industries Secure BYOD, 2016 (Bitglass)

Supported Users (chart). Source: BYOD and Mobile Security Report, 2016 (Crowd Research Partners)

BYOD Drivers and Benefits (chart). Source: BYOD and Mobile Security Report, 2016 (Crowd Research Partners)

BYOD Barriers (chart). Source: BYOD and Mobile Security Report, 2016 (Crowd Research Partners)

BYOD Security Concerns (chart). Source: BYOD and Mobile Security Report, 2016 (Crowd Research Partners)

Why Mobile Devices Pose a Risk in the Workplace (chart). Source: The Economic Risk of Confidential Data on Mobile Devices in the Workplace, 2016 (Ponemon)

Company-Related Data Employees Access through Mobile Devices Versus What Information Security Thinks They Can Access (chart). Source: The Economic Risk of Confidential Data on Mobile Devices in the Workplace, 2016 (Ponemon)

Mobile Data Breaches (chart). Source: The Economic Risk of Confidential Data on Mobile Devices in the Workplace, 2016 (Ponemon)

Risk Control Measures (chart). Source: BYOD and Mobile Security Report, 2016 (Crowd Research Partners)

Risk Control Measures (chart). Source: The Economic Risk of Confidential Data on Mobile Devices in the Workplace, 2016 (Ponemon)

Risk Control Measures (chart, continued). Source: The Economic Risk of Confidential Data on Mobile Devices in the Workplace, 2016 (Ponemon)

Special Challenges for Protecting PII and Other Confidential Information on Personal Devices
- Personal devices are commonly lost or stolen
- Hard to enforce security requirements on personal devices
- Employees selling or trading in devices may fail to completely and securely delete sensitive information

Wiping Data from Devices Upon Employee Departure (chart). Source: BYOD and Mobile Security Report, 2016 (Crowd Research Partners)

Failure to Comply with Privacy Obligations to Consumers
- HIPAA
- Gramm-Leach-Bliley
- FINRA
- PCI DSS
- EU General Data Protection Regulation (May 25, 2018)

Failure to Comply with Privacy Obligations to Employees
- Some jurisdictions require notice prior to any employee monitoring
- Intrusion on employee privacy may result in litigation
- Loss of employee-owned data on a personal device also may result in litigation

Failure to Comply with Privacy Obligations Can Result in Data Breaches
- Data breach notification obligations
- Regulatory or state attorney general investigations
- Civil lawsuits

Failure to Comply with Legal Hold Obligations
- Legal hold obligations extend to personal devices when used for business purposes
- General Rule: Unique legal hold-related information on personal devices must be preserved
- Failure to preserve can result in significant sanctions

Other Legal Risks
- Loss of necessary access to information by others with business needs
- Failure to compensate for overtime work performed remotely
- Liability from texting-while-driving accidents
- Breach of confidential entity data
- Payment disputes with employees

Risk Plan

Ten Recommendations to Protect Data (Including PII) on Personal Devices
1. Ensure risk assessments address personal devices
2. Implement appropriate technology solutions
3. Enforce prohibition on usage of banned apps
4. Enforce screen locks, encryption, strong passwords, and anti-malware protection
5. Require employees to keep personal devices up to date

Ten Recommendations to Protect Data (Including PII) on Personal Devices (continued)
6. Prohibit jailbreaking and rooting
7. Secure your network against rogue devices
8. Ensure ability to wipe company data from device
9. Implement and train on procedures for selling, replacing, or discarding personal devices
10. Define security incident procedures for personal devices

Bonus Recommendation: Implement and Train on Strong BYOD Policy
- Consider all perspectives
- Develop comprehensive BYOD Policy clearly setting forth both the entity's and employees' rights
- Implement BYOD Policy through training, FAQs, and other educational resources
- Monitor compliance, and periodically review and update BYOD Policy
- Review and update related policies and procedures touching on BYOD

Five Recommendations to Address Employee Privacy Risks
- Require employees to segregate personal data
- Retain record of unambiguous, written employee consent to BYOD Policy
- Ensure BYOD Policy clearly sets out rights to monitor, access, review, and disclose company or other data on personal devices, as well as employees' obligations
- Address privacy concerns while planning for preservation of information on personal devices
- If possible, provide notice and obtain consent before wiping or destroying data on personal devices

Five Recommendations to Address Legal Hold Risks
- Ensure policy language addressing legal hold compliance is broad enough to cover legal hold-related information on mobile devices
- Update legal hold procedures to cover preservation of information on personal devices
- Promptly identify and preserve legal hold-related information on personal devices
- Provide clear instructions to employees to suspend auto-deletion and take other steps to guard against changing or deleting data
- Update offboarding processes to address preservation of legal hold-related information

Five Recommendations to Address Other Legal Risks
- Access to Information: Prohibit storage of unique customer/client information on personal devices
- Overtime Disputes: Where appropriate, prohibit non-exempt employees from working after hours; if not prohibited, require employees to account for time
- Texting/Driving Risks: Prohibit texting while driving by policy
- Breach of Confidential Entity Data: Implement DLP systems and offboarding processes
- Payment Disputes with Employees: Clearly address who pays for the device, as well as voice and data access

ANY QUESTIONS?

For further information on developing a BYOD Policy; developing and implementing BYOD training; reviewing your organization's current processes for collecting unique information subject to legal hold from employees' personal devices; or other information governance topics, please contact me.

Laura Clark Fey, Esq., CIPP/US, CIPP/E, CIPM
Principal, Fey LLC
E-Mail: lfey@feyllc.com
Direct: 913.948.6301
Mobile: 816.518.6554
Website: www.feyllc.com